Microsoft Readies Security Update CDs

Microsoft is offering an update CD for Windows 98, 98Se, Me, 2000, and XP with all the security updates through October 2003. It's ideal to CYA if you ever have to reinstall Windows or format your drive (not that Windows would EVER require such drastic mesures to continue running properly...); it can also make for a great gift for someone you know who wouldn't order one on his own.

The CD-ROM is meant especially for Windows users with slow, dial-up Internet connections that can make downloading updates a nightmare. However, because the disc offers updates only through October 15, 2003, Microsoft still recommends users go to the Windows Update Web site to get the latest updates.

Windows users can request the Windows Security Update CD from Microsoft's Web site for free (CD and shipping).


Which Linux Distro and Where to Get Them

From Linux.com:
Lately we've received many questions from users wanting to know which distribution they should choose and how to go about obtaining them. Today we've addressed this by pointing to a topic from the forums that should help you get a head start on what's what and where to get it. Read on for more information.


Article from Security Wire Perspectives, Vol. 6, No. 19, March 8, 2004.

The increased reliability and potentially better security of Linux is tempting more than a few frustrated Windows shops to consider jumping ship to the popular open-source OS.

You'll need competent Linux admins and managers to deploy and maintain secure systems. This is critical, since the security of any system is directly proportional to the abilities and experience of the people operating them.

While there are a number of things you'll want your Linux admins to know, they should have the following security-specific skills.

--OS Hardening. This involves reconfiguring core settings, deactivating unneeded programs and tuning the remaining services for better security. In Linux implementations, this also can involve configuring the embedded system-level firewall. These steps will mitigate most known vulnerabilities and neutralize most attacks -- up to 97% in some lab tests.

Freeware applications and tools like Bastille Linux, Titan and the Center for Internet Security's (CIS) Unix security scoring tool help audit the hardening work once it's done. CIS's Linux Benchmark and books like "Building Secure Servers with Linux" are practical, step-by-step guides for hardening Linux and Unix systems.

--System Assessment. Once an OS is hardened, a sysadmin must be able to determine if it has been attacked or compromised. System assessments start with creating a baseline of the normal system and then checking the system against the baseline on a regular basis. This assessment might begin with looking at what programs are running, what user context they're running under, what files they have open, and what their level of resource consumption is.

This process is both highly technical and somewhat intuitive, thus requiring experience and knowledge. A sysadmin must know what information is important and how to gather that information. Experience will tell a sysadmin when something is amiss. Technical skills come into play to discover if the problem is really an attacker or just a system failure, such a faulty hard drive or overloaded application.

--Intelligence Gathering. Next, your sysadmin must be able to gather and manage intelligence specific to your systems' security. A Linux admin needs to know what techniques are used by both attackers and defenders. He must be able to follow the trend data to keep up to date with current attacks. This helps an organization adapt its defensive posture to changing threat conditions.

Of course, security intelligence directly feeds into the first two skill sets. A good Linux or security admin will check sites such as SecurityFocus and Incidents at least once per day for alerts and advisories. Security newsletters published by supporting vendors and media outlets help admins keep up with threat trends.

Where will you get people with such skills? Believe it or not, a good place to start is with your Windows admins, many of whom are closet Linux geeks or have experience on Linux systems. They'll also have a firm understanding of hardening systems, since locking down Windows boxes before they go into production is nearly a necessity.

JAY BEALE is the lead developer of the Bastille Linux project.

Security Wire Perspectives is published by Information Security, the industry's leading magazine for security news and information, and SearchSecurity.com, the Web's best security-specific information resource for enterprise IT professionals.

Why Is My Speedy PC S-l-o-w-i-n-g D-o-w-n?

"All of a sudden my once-fast computer behaves as if a ton of molasses took over its innards. How can I get my speed back?"
Good article here at PCWorld.com posted Wednesday, January 28, 2004 by Lincoln Spector. From the March 2004 issue of PC World magazine. Covers the leading performance-robbing suspects:
  • Spyware
  • Too many active apps
  • New software on old hardware
  • The Registry (Always the prime culprit in my experience)
PCWorld.com downloads page
"How Do I Restore My Windows Registry?"



Sweet, another fun timewaster...
orkut.com is an online community website designed for friends. The main goal of their service is to make your social life, and that of your friends, more active and stimulating. orkut's social network can help you both maintain existing relationships as well as establish new ones by reaching out to people you've never met before. Who you interact with is entirely up to you. Before getting to know an orkut member, you can even see how they're connecting to you through the friends network.

orkut makes it easy to find people who share your hobbies and interests, look for romantic connections or establish new business contacts. You can also create and join a wide variety of online communities to discuss current events, reconnect with old college buddies or even exchange cookie recipes.

To join orkut, simply click on the link in the email sent out (it's by invite only right now) and follow the instructions for creating a user name and password.